
Sanitize $_SERVER['HTTP_USER_AGENT'] & $_SERVER['HTTP_REFERER'] before saving to DB?

I have a feedback form which will take a couple of user inputted fields along with a few fields generated by PHP functions like 'user-agent' and 'referer'.

My question is should these strings be sanitized before being inputted? I realize one could easily alter the user-agent and the referring page, but could it be possible for a visitor to add a SQL injection like string so when PHP pulls this info it potentially breaks my form?

For instance if a user changed their user-agent or referring page to include the string Robert'); DROP TABLE Students;--


Answer

Simple Answer: validate/sanitize/escape everything (like client-side data, for example) because everything could be modified and evil or contain unexpected characters that could break your query (like Col. Shrapnel explained).

To minimize risk you should also think about using prepared statements instead of building SQL strings on your own (Note: this doesn't mean you can leave out the checks).
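The two approaches side by side, as an added example that is not part of the original question or answer. It assumes a hypothetical `feedback` table with columns `message`, `user_agent` and `referer`, and an existing PDO connection in `$pdo`.

```php
<?php
// Added example (not from the original post). Assumptions: a MySQL table
// `feedback` (message, user_agent, referer) and a PDO connection in $pdo.
declare(strict_types=1);

// Headers are attacker-controlled input like any form field. Treat a
// missing header as an empty string and cap the length so a multi-kilobyte
// header cannot overflow the column. This is the "check" that prepared
// statements do not replace.
function headerValue(string $name, int $maxLen): string
{
    $value = $_SERVER[$name] ?? '';
    // Drop control characters; keep everything else verbatim. Escaping
    // for SQL is the driver's job, not ours.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return mb_substr($value, 0, $maxLen);
}

// VULNERABLE (the pattern the question worries about): the header text is
// spliced into the SQL string, so a User-Agent containing
//   Robert'); DROP TABLE Students;--
// changes the statement instead of being stored as data.
function saveFeedbackUnsafe(PDO $pdo, string $message): void
{
    $ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    $pdo->exec("INSERT INTO feedback (message, user_agent, referer) "
             . "VALUES ('$message', '$ua', '$ref')");
}

// SAFE: the SQL text is fixed; every value, headers included, travels as a
// bound parameter, so the quote and semicolon above are just characters.
function saveFeedback(PDO $pdo, string $message): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO feedback (message, user_agent, referer) '
        . 'VALUES (:msg, :ua, :ref)'
    );
    $stmt->execute([
        ':msg' => mb_substr($message, 0, 2000),
        ':ua'  => headerValue('HTTP_USER_AGENT', 512),
        ':ref' => headerValue('HTTP_REFERER', 2048),
    ]);
}
```

Create `$pdo` with `PDO::ATTR_EMULATE_PREPARES` set to `false` so the values are bound by the database server rather than interpolated client-side by the driver.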

User contributions licensed under: CC BY-SA